STIGQter: STIG Summary: Oracle Database 11g Instance STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

The Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter should be set to a value of DELAY or DROP.

DISA Rule

SV-55940r2_rule

Vulnerability Number

V-16053

Group Title

Oracle SEC_PROTOCOL_ERROR_FURTHER_ACTION parameter

Rule Version

DO6750-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the value for the sec_protocol_error_further_action initialization parameter to DROP or DELAY.

DROP provides better protection and is recommended.

From SQL*Plus:

alter system set sec_protocol_error_further_action = 'drop' scope = spfile;
OR
alter system set sec_protocol_error_further_action = 'drop,3' scope = spfile;

NOTE: The addition of the ',3' above further limits the number of 'bad packets' to the specified number before forcefully terminating the connection.

The above SQL*Plus command will set the parameter to take effect at next system startup.

Check Contents

From SQL*Plus:

select upper(value) from v$parameter
where name = 'sec_protocol_error_further_action';

If the value returned does not include DROP or DELAY, this is a Finding.
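
Because the fix is written with scope = spfile, the check query keeps returning the old running value until the instance is restarted. The query below is an added example, not part of the STIG text: it shows the running value beside the value stored in the spfile. It assumes a single-instance database and SELECT access to v$parameter and v$spparameter; the column aliases and status strings are illustrative.

```sql
-- Added example, not part of the STIG check text.
-- v$parameter   : value the running instance is using now.
-- v$spparameter : value recorded in the spfile, used at next startup.
select p.name,
       upper(p.value)  as running_value,
       upper(sp.value) as spfile_value,
       -- Same test as the STIG check: value must include DROP or DELAY.
       case
         when upper(p.value) like '%DROP%'
           or upper(p.value) like '%DELAY%' then 'Not a Finding'
         else 'Finding'
       end as running_status,
       -- What the check will report once the instance has been restarted.
       case
         when nvl(sp.isspecified, 'FALSE') = 'FALSE' then 'not set in spfile'
         when upper(sp.value) like '%DROP%'
           or upper(sp.value) like '%DELAY%' then 'compliant after restart'
         else 'non-compliant after restart'
       end as spfile_status
from   v$parameter p
       left join v$spparameter sp
              on sp.name = p.name
where  p.name = 'sec_protocol_error_further_action';
```

A row with running_status 'Finding' and spfile_status 'compliant after restart' means the fix has been applied but the instance has not yet been restarted.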

Documentable

False

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1367
